Guide to the Secure Configuration of Ubuntu 20.04

with profile CIS Ubuntu 20.04 Level 2 Workstation Benchmark
This baseline aligns to the Center for Internet Security Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.
This guide presents a catalog of security-relevant configuration settings for Ubuntu 20.04. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: ubuntu-pro-1
Benchmark URL: /usr/share/ubuntu-scap-security-guides/current/benchmarks/Canonical_Ubuntu_20.04_Benchmarks-xccdf.xml
Profile ID: cis_level2_workstation
Started at: 2023-09-07T09:13:06
Finished at: 2023-09-07T09:13:40
Performed by: vavirrus

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.128.0.3
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:4001:aff:fe80:3
  • MAC  00:00:00:00:00:00
  • MAC  42:01:0A:80:00:03

Compliance and Scoring

The target system did not satisfy the conditions of 187 rules! Please review rule results and consider applying remediation.

Rule results

159 passed
187 failed
1 other

Severity of failed rules

3 other
17 low
165 medium
2 high

Score

Scoring system | Score | Maximum | Percent
urn:xccdf:scoring:default | 62.374767 | 100.000000 | 62.37%

Rule Overview

Title | Severity | Result
Guide to the Secure Configuration of Ubuntu 20.04 (187x fail, 1x notchecked)
System Settings (156x fail, 1x notchecked)
Installing and Maintaining Software (11x fail)
System and Software Integrity (3x fail)
Software Integrity Checking (3x fail)
Verify Integrity with AIDE (3x fail)
Install AIDE | medium | fail
Build and Test AIDE Database | medium | fail
Configure Periodic Execution of AIDE | medium | fail
Disk Partitioning (6x fail)
Ensure /home Located On Separate Partition | low | fail
Ensure /tmp Located On Separate Partition | low | fail
Ensure /var Located On Separate Partition | low | fail
Ensure /var/log Located On Separate Partition | medium | fail
Ensure /var/log/audit Located On Separate Partition | low | fail
Ensure /var/tmp Located On Separate Partition | low | fail
Sudo (2x fail)
Install sudo Package | medium | pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty | medium | fail
Ensure Sudo Logfile Exists - sudo logfile | low | fail
Account and Access Control (26x fail, 1x notchecked)
Warning Banners for System Accesses (2x fail)
Verify Group Ownership of System Login Banner | medium | pass
Verify Group Ownership of Remote Login Banner | medium | pass
Verify Group Ownership of Message of the Day Banner | medium | pass
Verify ownership of System Login Banner | medium | pass
Verify ownership of Remote Login Banner | medium | pass
Verify ownership of Message of the Day Banner | medium | pass
Verify permissions on System Login Banner | medium | pass
Verify permissions on Remote Login Banner | medium | pass
Verify permissions on Message of the Day Banner | medium | pass
Ensure local login warning banner is configured properly | medium | fail
Ensure remote login warning banner is configured properly | medium | fail
Ensure message of the day is configured properly | medium | pass
Protect Accounts by Configuring PAM (10x fail)
Set Lockouts for Failed Password Attempts (2x fail)
Limit Password Reuse | medium | fail
Set Deny For Failed Password Attempts | medium | fail
Set Password Quality Requirements (7x fail)
Set Password Quality Requirements with pam_pwquality (7x fail)
Ensure PAM Enforces Password Requirements - Minimum Digit Characters | medium | fail
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters | medium | fail
Ensure PAM Enforces Password Requirements - Minimum Different Categories | medium | fail
Ensure PAM Enforces Password Requirements - Minimum Length | medium | fail
Ensure PAM Enforces Password Requirements - Minimum Special Characters | medium | fail
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session | medium | fail
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters | medium | fail
Install pam_pwquality Package | medium | fail
Protect Physical Console Access (1x fail)
Ensure authentication required for single user mode | medium | fail
Protect Accounts by Restricting Password-Based Login (5x fail)
Set Account Expiration Following Inactivity | medium | fail
Set Password Expiration Parameters (2x fail)
Set Password Maximum Age | medium | fail
Set Password Minimum Age | medium | fail
Set Existing Passwords Maximum Age | medium | pass
Set Existing Passwords Minimum Age | medium | pass
Ensure all users last password change date is in the past | medium | pass
Restrict Root Logins (2x fail)
Ensure default group for the root account is GID 0 | medium | pass
Verify Only Root Has UID 0 | high | pass
Ensure the group used by pam_wheel module exists on system and is empty | medium | fail
Ensure that System Accounts Do Not Run a Shell Upon Login | medium | pass
Enforce usage of pam_wheel with group parameter for su authentication | medium | fail
Secure Session Configuration Files for Login Accounts (8x fail, 1x notchecked)
Ensure that Users Have Sensible Umask Values (4x fail, 1x notchecked)
Ensure the Default Bash Umask is Set Correctly | medium | fail
Ensure the Default C Shell Umask is Set Correctly | unknown | fail
Ensure the Default Umask is Set Correctly in login.defs | medium | fail
Ensure the Default Umask is Set Correctly in /etc/profile | unknown | fail
Ensure the Default Umask is Set Correctly For Interactive Users | medium | notchecked
Set Interactive Session Timeout | medium | fail
User Initialization Files Must Be Owned By the Primary User | medium | pass
All Interactive Users Home Directories Must Exist | medium | pass
Ensure users own their home directories | medium | pass
Ensure appropriate umask set for adduser | medium | fail
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive | medium | fail
Ensure no users have .forward files | medium | pass
Ensure users' dot files are not group or world writable | medium | pass
Ensure appropriate homedir mode set for useradd | medium | fail
System Accounting with auditd (75x fail)
Configure auditd Rules for Comprehensive Auditing (66x fail)
Record Events that Modify the System's Discretionary Access Controls (13x fail)
Record Events that Modify the System's Discretionary Access Controls - chmod | medium | fail
Record Events that Modify the System's Discretionary Access Controls - chown | medium | fail
Record Events that Modify the System's Discretionary Access Controls - fchmod | medium | fail
Record Events that Modify the System's Discretionary Access Controls - fchmodat | medium | fail
Record Events that Modify the System's Discretionary Access Controls - fchown | medium | fail
Record Events that Modify the System's Discretionary Access Controls - fchownat | medium | fail
Record Events that Modify the System's Discretionary Access Controls - fremovexattr | medium | fail
Record Events that Modify the System's Discretionary Access Controls - fsetxattr | medium | fail
Record Events that Modify the System's Discretionary Access Controls - lchown | medium | fail
Record Events that Modify the System's Discretionary Access Controls - lremovexattr | medium | fail
Record Events that Modify the System's Discretionary Access Controls - lsetxattr | medium | fail
Record Events that Modify the System's Discretionary Access Controls - removexattr | medium | fail
Record Events that Modify the System's Discretionary Access Controls - setxattr | medium | fail
Record File Deletion Events by User (4x fail)
Ensure auditd Collects File Deletion Events by User - rename | medium | fail
Ensure auditd Collects File Deletion Events by User - renameat | medium | fail
Ensure auditd Collects File Deletion Events by User - unlink | medium | fail
Ensure auditd Collects File Deletion Events by User - unlinkat | medium | fail
Record Unauthorized Access Attempts Events to Files (unsuccessful) (5x fail)
Record Unsuccessful Access Attempts to Files - creat | medium | fail
Record Unsuccessful Access Attempts to Files - ftruncate | medium | fail
Record Unsuccessful Access Attempts to Files - open | medium | fail
Record Unsuccessful Access Attempts to Files - openat | medium | fail
Record Unsuccessful Access Attempts to Files - truncate | medium | fail
Record Information on Kernel Modules Loading and Unloading (2x fail)
Ensure auditd Collects Information on Kernel Module Unloading - delete_module | medium | fail
Ensure auditd Collects Information on Kernel Module Loading - init_module | medium | fail
Record Attempts to Alter Logon and Logout Events - faillog | medium | fail
Record Attempts to Alter Logon and Logout Events - lastlog | medium | fail
Record Attempts to Alter Logon and Logout Events - tallylog | medium | fail
Record Information on the Use of Privileged Commands (22x fail)
Ensure auditd Collects Information on the Use of Privileged Commands - at | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - chage | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - chfn | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - chsh | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - crontab | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - insmod | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - modprobe | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - mount | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - rmmod | medium | fail
Record Any Attempts to Run ssh-agent | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - su | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - sudo | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - umount | medium | fail
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | medium | fail
Records Events that Modify Date and Time Information (5x fail)
Record attempts to alter time through adjtimex | medium | fail
Record Attempts to Alter Time Through clock_settime | medium | fail
Record attempts to alter time through settimeofday | medium | fail
Record Attempts to Alter Time Through stime | medium | fail
Record Attempts to Alter the localtime File | medium | fail
Make the auditd Configuration Immutable | medium | fail
Record Events that Modify the System's Mandatory Access Controls | medium | fail
Ensure auditd Collects Information on Exporting to Media (successful) | medium | fail
Record Events that Modify the System's Network Environment | medium | fail
Record Attempts to Alter Process and Session Initiation Information | medium | fail
Record Events When Privileged Executables Are Run | medium | fail
Ensure auditd Collects System Administrator Actions | medium | fail
Record Events that Modify User/Group Information - /etc/group | medium | fail
Record Events that Modify User/Group Information - /etc/gshadow | medium | fail
Record Events that Modify User/Group Information - /etc/security/opasswd | medium | fail
Record Events that Modify User/Group Information - /etc/passwd | medium | fail
Record Events that Modify User/Group Information - /etc/shadow | medium | fail
Configure auditd Data Retention (5x fail)
Configure auditd mail_acct Action on Low Disk Space | medium | fail
Configure auditd admin_space_left Action on Low Disk Space | medium | fail
Configure auditd Max Log File Size | medium | fail
Configure auditd max_log_file_action Upon Reaching Maximum Log Size | medium | fail
Configure auditd space_left Action on Low Disk Space | medium | fail
Ensure the audit Subsystem is Installed | medium | fail
Enable auditd Service | medium | fail
Enable Auditing for Processes Which Start Prior to the Audit Daemon | medium | fail
Extend Audit Backlog Limit for the Audit Daemon | medium | fail
AppArmor (2x fail)
Ensure AppArmor is installed | medium | pass
Ensure all AppArmor Profiles are in enforce mode | medium | fail
Ensure all AppArmor Profiles are in enforce or complain mode | medium | pass
Ensure AppArmor is enabled in the bootloader configuration | medium | fail
GRUB2 bootloader configuration (1x fail)
UEFI GRUB2 bootloader configuration (1x fail)
Set the UEFI Boot Loader Password | high | fail
Configure Syslog (6x fail)
Configure journald (3x fail)
Ensure journald is configured to compress large log files | medium | fail
Ensure journald is configured to send logs to rsyslog | medium | fail
Ensure journald is configured to write logfiles to persistent disk | medium | fail
Ensure All Logs are Rotated by logrotate (1x fail)
Ensure logrotate assigns appropriate permissions | medium | fail
Rsyslog Logs Sent To Remote Host (1x fail)
Ensure Logs Sent To Remote Host | medium | fail
Ensure rsyslog is Installed | medium | pass
Enable rsyslog Service | medium | pass
Ensure permissions on all logfiles are configured | medium | fail
Ensure rsyslog default file permissions configured | medium | pass
Network Configuration and Firewalls (25x fail)
iptables and ip6tables (9x fail)
Ensure loopback traffic is configured (6x fail)
Traffic in on lo is allowed | medium | fail
Traffic out on lo is allowed | medium | fail
Inbound traffic for ::1/128 on any other interface is denied. | medium | fail
Traffic in on lo is allowed | medium | fail
Traffic out on lo is allowed | medium | fail
Inbound traffic for 127.0.0.0/8 on any other interface is denied. | medium | fail
Strengthen the Default Ruleset (2x fail)
Ensure default deny firewall policy - iptables6 | medium | fail
Ensure default deny firewall policy | medium | fail
Install iptables-persistent Package | medium | fail
Install iptables Package | medium | pass
Remove iptables-persistent Package | medium | pass
IPv6 (7x fail)
Configure IPv6 Settings if Necessary (7x fail)
Configure Accepting Router Advertisements on All IPv6 Interfaces | medium | fail
Disable Accepting ICMP Redirects for All IPv6 Interfaces | medium | fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces | medium | fail
Disable Kernel Parameter for IPv6 Forwarding | medium | fail
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default | medium | fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces | medium | fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default | medium | fail
Kernel Parameters Which Affect Networking (4x fail)
Network Related Kernel Runtime Parameters for Hosts and Routers (4x fail)
Disable Accepting ICMP Redirects for All IPv4 Interfaces | medium | pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces | medium | pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces | unknown | pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces | medium | fail
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces | medium | fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces | medium | pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default | medium | pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default | unknown | pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default | medium | fail
Configure Kernel Parameter for Accepting Secure Redirects By Default | medium | fail
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces | medium | pass
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces | unknown | pass
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces | medium | pass
Uncomplicated Firewall (ufw) (1x fail)
Install ufw Package | medium | pass
Remove ufw Package | medium | fail
Verify ufw Enabled | medium | pass
Ensure default deny firewall policy | medium | notapplicable
Uncommon Network Protocols (4x fail)
Disable DCCP Support | medium | fail
Disable RDS Support | low | fail
Disable SCTP Support | medium | fail
Disable TIPC Support | medium | fail
File Permissions and Masks (10x fail)
Restrict Dynamic Mounting and Unmounting of Filesystems (7x fail)
Disable the Automounter | medium | pass
Disable Mounting of cramfs | low | fail
Disable Mounting of freevxfs | low | fail
Disable Mounting of hfs | low | fail
Disable Mounting of hfsplus | low | fail
Disable Mounting of jffs2 | low | fail
Disable Mounting of udf | low | fail
Disable Modprobe Loading of USB Storage Driver | medium | fail
Restrict Partition Mount Options (1x fail)
Add nodev Option to /dev/shm | low | pass
Add noexec Option to /dev/shm | low | fail
Add nosuid Option to /dev/shm | low | pass
Add nodev Option to /home if it exists | unknown | pass
Add nodev Option to /tmp if it exists | medium | pass
Add noexec Option to /tmp if it exists | medium | pass
Add nosuid Option to /tmp if it exists | medium | pass
Add nodev Option to /var/tmp if it exists | medium | pass
Add noexec Option to /var/tmp if it exists | medium | pass
Add nosuid Option to /var/tmp if it exists | medium | pass
Restrict Programs from Dangerous Execution Patterns (2x fail)
Disable Core Dumps (2x fail)
Disable Core Dumps for All Users | medium | fail
Disable Core Dumps for SUID programs | medium | fail
Services (31x fail)
Apport Service (1x fail)
Disable Apport Service | unknown | fail
Cron and At Daemons (8x fail)
Restrict at and cron to Authorized Users if Necessary (2x fail)
Verify Group Who Owns /etc/at.allow file | medium | pass
Verify Group Who Owns /etc/cron.allow file | medium | pass
Verify User Who Owns /etc/at.allow file | medium | pass
Verify User Who Owns /etc/cron.allow file | medium | pass
Verify Permissions on /etc/at.allow file | medium | pass
Verify Permissions on /etc/cron.allow file | medium | pass
Ensure at is restricted to authorized users | medium | fail
Ensure cron is restricted to authorized users | medium | fail
Enable cron Service | medium | pass
Verify Group Who Owns cron.d | medium | pass
Verify Group Who Owns cron.daily | medium | pass
Verify Group Who Owns cron.hourly | medium | pass
Verify Group Who Owns cron.monthly | medium | pass
Verify Group Who Owns cron.weekly | medium | pass
Verify Group Who Owns Crontab | medium | pass
Verify Owner on cron.d | medium | pass
Verify Owner on cron.daily | medium | pass
Verify Owner on cron.hourly | medium | pass
Verify Owner on cron.monthly | medium | pass
Verify Owner on cron.weekly | medium | pass
Verify Owner on crontab | medium | pass
Verify Permissions on cron.d | medium | fail
Verify Permissions on cron.daily | medium | fail
Verify Permissions on cron.hourly | medium | fail
Verify Permissions on cron.monthly | medium | fail
Verify Permissions on cron.weekly | medium | fail
Verify Permissions on crontab | medium | fail
Obsolete Services (2x fail)
Telnet (1x fail)
Remove telnet Clients | low | fail
Uninstall rsync Package | low | fail
SSH Server (20x fail)
Configure OpenSSH Server if Necessary (19x fail)
Ensure SSH Access is Limited (4x fail)
Restrict sshd user access via AllowGroups | medium | fail
Restrict sshd user access via AllowUsers | medium | fail
Restrict sshd user access via DenyGroups | medium | fail
Restrict sshd user access via DenyUsers | medium | fail
Disable Host-Based Authentication | medium | pass
Disable SSH Access via Empty Passwords | high | fail
Disable SSH Support for .rhosts Files | medium | fail
Disable SSH Root Login | medium | fail
Disable SSH TCP Forwarding | medium | fail
Disable X11 Forwarding | medium | fail
Do Not Allow SSH Environment Options | medium | fail
Enable PAM | medium | pass
Enable SSH Warning Banner | medium | fail
Set SSH Idle Timeout Interval | medium | fail
Set SSH Client Alive Count Max | medium | fail
Set SSH LoginGraceTime limit | medium | fail
Set LogLevel to INFO or VERBOSE | low | fail
Set SSH authentication attempt limit | medium | pass
Set SSH MaxSessions limit | medium | fail
Ensure SSH MaxStartups is configured | medium | fail
Use Only Approved Ciphers | medium | fail
Use Only Approved KEXs | medium | pass
Use Only Approved MACs | medium | fail
Verify Group Who Owns SSH Server config file | medium | pass
Verify Owner on SSH Server config file | medium | pass
Verify Permissions on SSH Server config file | medium | fail
Verify Permissions on SSH Server Private *_key Key Files | medium | pass
Verify Permissions on SSH Server Public *.pub Key Files | medium | pass
Benchmark built by Ubuntu Security Guide